Abstract

This paper studies a variant of the McEliece cryptosystem able to ensure that the code used as the public key is no longer permutation-equivalent to the secret code. This increases the security level of the public key, thus opening the way for reconsidering the adoption of classical families of codes, like Reed-Solomon codes, that have long been excluded from the McEliece cryptosystem for security reasons. It is well known that codes of these classes are able to yield a reduction in the key size or, equivalently, an increased level of security against information set decoding; so, these are the main advantages of the proposed solution. We also describe possible vulnerabilities and attacks related to the considered system, and show what design choices are best suited to avoid them.

Keywords: McEliece cryptosystem, Niederreiter cryptosystem, error correcting codes, Reed-Solomon codes, public key security.



1 Introduction 

The McEliece cryptosystem [8] is one of the most promising public-key cryptosystems able to resist attacks based on quantum computers. In fact, differently from cryptosystems exploiting integer factorization or discrete logarithms, it relies on the hardness of decoding a linear block code without any visible structure.

The original McEliece cryptosystem adopts the generator matrix of a binary Goppa code as the private key, and exploits a dense transformation matrix and a permutation matrix to disguise the secret key into the public one. It has resisted cryptanalysis for more than thirty years, since no polynomial-time attack on the system has been devised up to now; however, the increased computing power and the availability of optimized attack procedures have made it necessary to update its original parameters [4].

The main advantage of the McEliece cryptosystem consists in its fast encryption and decryption procedures, which require a significantly lower number of operations with respect to alternative solutions (like RSA). However, the original McEliece cryptosystem has two main disadvantages: low encryption rate and large key size, both due to the binary Goppa codes it is based on. When adopting Goppa codes, a first improvement is obtained through the variant proposed by Niederreiter, which uses parity-check matrices instead of generator matrices.

A significant improvement in both the encryption rate and the key size would be obtained if other families of codes could be included in the system, allowing a more efficient code design and a more compact representation of their matrices. In particular, the use of Reed-Solomon (RS) codes could yield significant advantages. In fact, RS codes are maximum distance separable codes, which ensures they achieve maximum error correction capability under bounded-distance decoding. In the McEliece system, this translates into shorter keys for the same security level, or a higher security level for the same key size, with respect to binary Goppa codes (having the same code rate). In fact, Goppa codes are subfield subcodes of generalized RS codes and the subcoding procedure makes them less efficient than RS codes. However, this also makes them secure against key recovery attacks, while the algebraic structure of RS codes, when exposed in the public key (also in permuted form), makes them insecure against attacks aimed at recovering the secret code [18].

Many attempts at replacing Goppa codes with other families of codes have exposed the system to security threats [2], [20], and some recent proposals based on Quasi-Cyclic and Quasi-Dyadic codes have also been broken [?]. Low-Density Parity-Check (LDPC) codes, in principle, could offer high design flexibility and compact keys. However, the use of LDPC codes may also expose the system to severe flaws [10], [12]. Nevertheless, it is still possible to exploit Quasi-Cyclic LDPC codes to design a variant of the system that is immune to any known attack [1].

The idea in [1] is to replace the permutation matrix used in the original McEliece cryptosystem with a dense transformation matrix. The transformation matrix used in [1] is a sparse matrix and its density must be chosen as a trade-off between two opposite effects: i) increasing the density of the public code parity-check matrix so that it is too difficult to search for low weight codewords in its dual code and ii) limiting the propagation of the intentional errors so that they are still correctable by the legitimate receiver. The advantage of replacing the permutation with a more general transformation is that the code used as the public key is no longer permutation-equivalent to the secret code. This increases the security of the public key, as it prevents an attacker from exploiting the permutation equivalence when trying to recover the secret code structure.

Figure 1: The McEliece cryptosystem.

We elaborate on this approach by introducing a more effective class of transformation matrices and by generalizing their form also to the non-binary case. The new proposal is based on the fact that there exist some classes of dense transformation matrices that have a limited propagation effect on the intentional error vectors. The use of these matrices allows the private key to be better disguised into the public one, with a controlled error propagation effect. So, we propose a modified cryptosystem that can restore the use of advantageous families of codes, such as RS codes, by ensuring increased public key security.



2 Description of the cryptosystem 

The proposed cryptosystem takes as its basis the classical McEliece cryptosystem, whose block scheme is reported in Figure 1, where u denotes a cleartext message and x its associated ciphertext. The main components of this system are:

• A private linear block code generator matrix G 

• A public linear block code generator matrix G' 

• A secret scrambling matrix S 

• A secret permutation matrix P 

• A secret intentional error vector e 

As for the original system, the proposed cryptosystem can be implemented in the classical McEliece form or, alternatively, in the Niederreiter form. In both cases, the main element that differentiates the proposed solution from the original cryptosystem is the replacement of the permutation matrix P with a dense transformation matrix Q, whose design is described next.

2.1 Matrix Q 

The matrix Q is a non-singular n × n matrix having the form

Q = R + T, (1)

where R is a dense n × n matrix and T is a sparse n × n matrix. The matrices R, T and Q have elements in F_q, with q ≥ 2.

The matrix R is obtained starting from two sets, A and B, each containing w matrices having size z × n, z < n, defined over F_q: A = {a_1, a_2, ..., a_w}, B = {b_1, b_2, ..., b_w}. We also define a = \sum_{i=1}^{w} a_i. The matrices in A and B are secret and randomly chosen; then, R is obtained as:

R = \begin{bmatrix} a_1^T & a_2^T & \cdots & a_w^T \end{bmatrix} \cdot \begin{bmatrix} b_1 \\ b_2 \\ \vdots \\ b_w \end{bmatrix} = \sum_{i=1}^{w} a_i^T \cdot b_i, (2)

where T denotes transposition. Starting from (2), we make some simplifying assumptions, aimed at reducing the amount of secret data that needs to be stored. In fact, for the instances of the proposed cryptosystem we consider, we will focus on two cases, both with w = 2: i) a_1 = a, a_2 = 0 and ii) b_2 = 1 + b_1, where 0 and 1 represent, respectively, the all-zero and the all-one z × n matrix. In both these cases, there is no need to store nor choose the matrix b_2. For this reason, in order to simplify the notation, we will replace b_1 with b in the following. This obviously does not limit the applicability of the general form (2) of the matrix R.

Concerning the choice of the matrix T, we denote by Π_i a generalized permutation matrix, that is, a matrix having only one non-zero element in each row and in each column, whose value is selected among the q − 1 non-zero elements of F_q. The matrix T is then obtained as the sum of m ≥ 1 generalized permutation matrices, chosen at random:

T = Π_1 + Π_2 + ... + Π_m. (3)

In the system we propose, the matrix Q, having the form (1), replaces the permutation matrix P that is used in the original McEliece cryptosystem and in its Niederreiter version. As we will see in the following, both these versions exploit an intentional error vector e = [e_1, e_2, ..., e_n], randomly generated, having a predetermined weight t, like in the classical cryptosystem. Each error vector might then be subject or not to additional constraints, depending on the implementation we use, as shown later. Let us suppose now that a constraint is imposed on the vector e in the form:

a · e^T = 0. (4)

If we suppose that the matrix a is full rank, the number of constraints we impose on the intentional error vectors is equal to z. Obviously, in order to be implemented, this would require a to be disclosed as part of the public key, but, as we will see in the following, this, together with condition (4), may introduce a weakness in the system. This issue will be discussed next, together with the ways to avoid such a weakness.

For the moment, let us suppose that a is disclosed and that condition (4) is verified. As we will see in the following, for both versions of the cryptosystem it turns out that, during decryption, the matrix Q has a multiplicative effect on the intentional error vector e. As a result, e is transformed into e · Q = e · (R + T). If (4) holds, the contribution due to R becomes, for the two cases we focus on:

e \cdot R = \begin{cases} 0, & \text{if } a_1 = a,\ a_2 = 0, \\ e \cdot a_2^T \cdot 1, & \text{if } b_2 = 1 + b. \end{cases} (5)

So, in the former case, e · Q reduces to e · T. In the latter case, instead, the legitimate receiver should know the value of e · a_2^T to remove the contribution due to e · R. We will see in the following how this can be done.

When the result of e · Q can be reduced to e · T, the use of the matrix Q as in (1) amplifies the number of intentional errors (at most) by a factor m. For m = 1, the required error correction capability is exactly the same as in the original McEliece and Niederreiter cryptosystems while, for m > 1, the limited error propagation effect can be compensated by using codes with a high error correction capability, as occurs when adopting LDPC codes [1].

But the advantage of using the matrix Q is that it allows the private matrix of a code over F_q to be disguised in a way that can be much stronger than what can be done by using a permutation matrix (as in the original McEliece system).

So, the proposed solution can help revitalize previous attempts at using alternative families of codes in the McEliece system. A first idea is to reconsider the usage of RS codes over F_q. In the following sections we will show that the attacks that have prevented their usage in the past cannot be directly applied to the new variant, so that it can be considered secure against them.
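As an added example (this code is not part of the original paper), the following Python script builds Q = R + T over a small prime field exactly as in (1)-(3) and checks the two cases of (5) numerically: for case i) it verifies e · R = 0, e · Q = e · T and wt(e · T) ≤ m · t, and for case ii) it verifies e · R = e · a_2^T · 1. The parameters q, n, z, m, t and all matrices are constructed for the example.

```python
import random

# Constructed toy parameters for this example (not from the paper):
# prime field size, code length, rows of each a_i and b_i, terms in T, error weight.
q, n, z, m, t = 7, 10, 1, 2, 3

def matmul(A, B):
    """Matrix product over F_q (q prime)."""
    return [[sum(A[i][l] * B[l][j] for l in range(len(B))) % q
             for j in range(len(B[0]))] for i in range(len(A))]

def madd(A, B):
    """Matrix sum over F_q."""
    return [[(x + y) % q for x, y in zip(ra, rb)] for ra, rb in zip(A, B)]

def transpose(A):
    return [list(col) for col in zip(*A)]

def rand_matrix(rows, cols):
    return [[random.randrange(q) for _ in range(cols)] for _ in range(rows)]

def gen_perm_matrix():
    """Generalized permutation matrix Pi_i: one non-zero element of F_q per row and column."""
    perm = list(range(n))
    random.shuffle(perm)
    P = [[0] * n for _ in range(n)]
    for i, j in enumerate(perm):
        P[i][j] = random.randrange(1, q)
    return P

def build_R(a_list, b_list):
    """R = [a_1^T ... a_w^T] . [b_1; ...; b_w] = sum_i a_i^T . b_i, as in (2)."""
    R = [[0] * n for _ in range(n)]
    for a_i, b_i in zip(a_list, b_list):
        R = madd(R, matmul(transpose(a_i), b_i))
    return R

def build_T():
    """T = Pi_1 + ... + Pi_m, as in (3)."""
    T = [[0] * n for _ in range(n)]
    for _ in range(m):
        T = madd(T, gen_perm_matrix())
    return T

def weight(v):
    return sum(1 for x in v if x)

def constrained_error(a):
    """Random weight-t error vector satisfying a . e^T = 0, condition (4), by rejection sampling."""
    while True:
        e = [0] * n
        for pos in random.sample(range(n), t):
            e[pos] = random.randrange(1, q)
        if all(x == 0 for x in matmul([e], transpose(a))[0]):
            return e

def case_i():
    """Case i) of (5): a_1 = a, a_2 = 0. Returns (e.R == 0, e.Q == e.T, wt(e.T) <= m*t)."""
    a = rand_matrix(z, n)
    zero = [[0] * n for _ in range(z)]
    R = build_R([a, zero], [rand_matrix(z, n), rand_matrix(z, n)])
    T = build_T()
    Q = madd(R, T)
    e = constrained_error(a)
    eR, eQ, eT = (matmul([e], M)[0] for M in (R, Q, T))
    return eR == [0] * n, eQ == eT, weight(eT) <= m * t

def case_ii():
    """Case ii) of (5): a = a_1 + a_2, b_2 = 1 + b. Returns whether e.R == e . a_2^T . 1."""
    a1, a2, b = rand_matrix(z, n), rand_matrix(z, n), rand_matrix(z, n)
    a = madd(a1, a2)
    ones = [[1] * n for _ in range(z)]
    R = build_R([a1, a2], [b, madd(ones, b)])
    e = constrained_error(a)
    eR = matmul([e], R)[0]
    return eR == matmul(matmul([e], transpose(a2)), ones)[0]

if __name__ == "__main__":
    random.seed(1)
    print("case i :", case_i())    # (True, True, True)
    print("case ii:", case_ii())   # True
```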

2.2 McEliece version 

In the McEliece version of the proposed system, Bob chooses his secret key as the k × n systematic generator matrix G of a linear block code over F_q, able to correct t errors. He also chooses two other secret matrices: a k × k non-singular scrambling matrix S and the n × n non-singular transformation matrix Q, defined as in (1). The public key is:

G' = S^{-1} · G · Q^{-1}. (6)

So, in general, differently from the original McEliece cryptosystem, the public code is not permutation-equivalent to the private code.

Alice, after obtaining Bob's public key, applies the following encryption map:

x = u · G' + e. (7)

After receiving x, Bob inverts the transformation as follows:

x' = x · Q = u · S^{-1} · G + e · Q, (8)

thus obtaining a codeword of the secret code affected by the error vector e · Q.

The special form we adopt for the matrix Q allows Bob to reduce e · Q to e · T. Obviously, this is immediately verified when e · R = 0, while it will be shown in Sections 3.2 and 3.3 how it can be achieved when e · R ≠ 0.

So, because of the limited error propagation effect that is due to T, Bob is able to correct all the errors and get u · S^{-1}, thanks to the systematic form of G. He can then obtain u through multiplication by S.

2.3 Niederreiter version 

The Niederreiter version of the proposed cryptosystem works as follows. Bob chooses the secret linear block code over F_q, able to correct t errors, by fixing its r × n parity-check matrix (H), and obtains his public key as

H' = S^{-1} · H · Q^T, (9)

where the scrambling matrix S is a non-singular r × r matrix and the transformation matrix Q is defined as in (1).

Alice, after getting Bob's public key, maps the cleartext vector into a weight-t error vector e and calculates the ciphertext as the syndrome x of e through H', according to

x = H' · e^T. (10)

In order to decrypt x, Bob first calculates x' = S · x = H · Q^T · e^T = H · (e · Q)^T. The special form of Q allows Bob to reduce e · Q to e · T. Obviously, this is immediately verified when e · R = 0, while it will be shown in Sections 3.2 and 3.3 how it can be achieved when e · R ≠ 0.

So, he gets H · T^T · e^T and, due to the limited error propagation effect of T, he is able to obtain T^T · e^T by performing syndrome decoding through the private linear block code. Then, he multiplies the result by (T^T)^{-1} and finally demaps e into its associated cleartext vector u.

In order to reduce the public key size, the matrix H', defined by (9), can be put in systematic form. Let us divide H' into a left r × r matrix H'_l and a right r × k matrix H'_r, i.e. H' = [H'_l | H'_r]. We can suppose, without loss of generality, that H'_l is full rank and obtain the systematic form of H' as:

H'' = (H'_l)^{-1} · H'. (11)

If H'' is used as the public key, only its rightmost k columns need to be stored. When Alice uses H'' for encryption, she obtains a public message x'' = H'' · e^T. Then, Bob must compute x = H'_l · x'' in order to get x as expressed by (10).
3 System design

In this section, we describe some critical aspects and possible weaknesses that must be carefully considered in the design of the proposed system.

3.1 Subcode vulnerability 

When a = a_1 and a_2 = 0, a possible vulnerability results from condition (4), since, in such a case, a subcode of the public code is exposed, that is permutation-equivalent to a subcode of the private code. In fact, if we refer to the Niederreiter version of the system, an attacker could consider the subcode generated by the following parity-check matrix:

H_a = \begin{bmatrix} H' \\ a \end{bmatrix} = \begin{bmatrix} S^{-1} \cdot H \cdot Q^T \\ a \end{bmatrix} = \begin{bmatrix} S^{-1} \cdot H \cdot R^T + S^{-1} \cdot H \cdot T^T \\ a \end{bmatrix}. (12)

Each codeword c in the code defined by H_a must verify a · c^T = 0. Due to the form of R, this also implies R^T · c^T = 0, so H_a defines a subcode of H' in which all codewords satisfy S^{-1} · H · T^T · c^T = 0. Hence, the effect of the dense R is removed and, when T is a permutation matrix (that is, when m = 1), the subcode defined by H_a is permutation-equivalent to a subcode of the secret code.

The same vulnerability can also occur when b_2 = 1 + b. In fact, in this case,

R = \begin{bmatrix} a_1^T & a_2^T \end{bmatrix} \cdot \begin{bmatrix} b \\ 1 + b \end{bmatrix} = a^T \cdot b + a_2^T \cdot 1 (13)

and

H \cdot R^T = H \cdot b^T \cdot a + H \cdot 1^T \cdot a_2. (14)

So, when the private code includes the all-one codeword, that is, H · 1^T = 0, we obtain H · R^T = H · b^T · a and a vulnerable subcode is still defined by H_a as in (12). For this reason, when R is defined as in (13), codes including the all-one codeword cannot be used as secret codes. For example, when an RS code defined over F_q having length n = q − 1 is used, the all-one codeword is always present. Shorter lengths should be considered in order to avoid the presence of the all-one codeword.

When an RS code is used and one of its subcodes is exposed (except for a permutation), an opponent could implement an attack of the type described in [20]. It is possible to verify that, for practical choices of the system parameters, the subcode defined by (12) is always weak against such an attack.

A similar situation occurs if LDPC codes are used as private codes, since low weight codewords could be searched in the dual of the subcode defined by H_a, so revealing some rows of H (though permuted). Moreover, the existence of low weight codewords in the dual of a subcode of the public code could be dangerous for the system security even when H_a is not available to an attacker, since such codewords could still be searched in the dual of the public code. So, when dealing with LDPC codes, it is always recommended to define T as a sum of permutation matrices (that is, to fix m > 1) in order to avoid the existence of codewords with low weight in the dual of the public code [1].

In the following subsections we propose two implementations of the cryp- 
tosystem that avoid the subcode vulnerability. We describe them by making 
reference to the Niederreiter version of the cryptosystem, but they can also be 
applied to its McEliece version. 



3.2 First implementation 

A first solution to overcome the subcode vulnerability consists in maintaining a_1 = a and a_2 = 0, but hiding the constraint vector a. This obviously would also eliminate the need to select the intentional error vectors according to condition (4).

We refer to the Niederreiter version of the cryptosystem and we fix, for simplicity, z = 1, but the same arguments can easily be extended to the general case 1 < z < n. Let us suppose that a is private and that the error vector e generated by Alice is such that a · e^T = γ, with γ ∈ F_q. It follows that

R^T · e^T = γ · b^T (15)

and

x' = S · x = γ · H · b^T + H · T^T · e^T. (16)

In this case, Bob can guess that the value of γ is γ_B and compute

x'' = x' − γ_B · H · b^T = (γ − γ_B) · H · b^T + H · T^T · e^T. (17)

So, if γ_B = γ, Bob obtains x'' = H · T^T · e^T. In such a case, he can recover e through syndrome decoding, check its weight and verify that a · e^T = γ_B. Otherwise, it is γ_B ≠ γ and, supposing that b is not a valid codeword, syndrome decoding fails or returns an error vector e' ≠ e. This latter case is extremely rare, as shown below, and can also be identified by Bob by checking the weight of e' and the value of a · e'^T. So, by iterating the procedure, that is, changing the value of γ_B, Bob is able to find the right γ.

The probability of finding a correctable syndrome e', for γ_B ≠ γ, is very low. In fact, since b is randomly chosen, when γ_B ≠ γ we can suppose that the vector (γ − γ_B) · H · b^T is a random r × 1 vector over F_q. The total number of correctable syndromes is \sum_{i=1}^{t} \binom{n}{i} (q − 1)^i while the total number of random r × 1 vectors is q^r. So, the probability of obtaining a correctable syndrome is:

P_e = \frac{\sum_{i=1}^{t} \binom{n}{i} (q-1)^i}{q^r}. (18)

The value of P_e, for practical choices of the system parameters, is very low. For example, by considering the set of parameters used in the original McEliece cryptosystem, that is, q = 2, n = 1024, k = 524, t = 50, we obtain P_e ≈ 10^{-65}.

In concluding this subsection, we note that, by using such an implementation, the complexity of the decryption stage is increased, on average, by a factor ≤ (q + 1)/2 with respect to the classical Niederreiter implementation. In fact, the average number of decryption attempts needed by Bob becomes (q + 1)/2. However, some steps of the decryption procedure do not need to be repeated; so, an increase in the decryption complexity by a factor (q + 1)/2 is a pessimistic estimate.

3.3 Second implementation 

A second solution to the subcode vulnerability is to adopt the choice a = a_1 + a_2, b_2 = 1 + b and to preserve condition (4), which implies, for Alice, the need to perform a selection of the error vectors. In this case, according to (5):

R^T · e^T = 1^T · a_2 · e^T. (19)

If we fix, for simplicity, z = 1 (but the same arguments can easily be extended to the general case 1 < z < n) and suppose to work over F_q, the possible values of α = a_2 · e^T are, obviously, q. So, Bob needs to make up to q guesses on the value of α.

First, Bob computes x' = S · x = H · (R + T)^T · e^T. By using (19), we have:

x' = H · 1^T · α + H · T^T · e^T. (20)

We observe that, if the secret code included the all-one codeword, then H · 1^T = 0 and Bob would not need to guess the value of α. However, in this version of the cryptosystem, the use of codes including the all-one codeword is prevented by the subcode vulnerability, as shown in Section 3.1, so this facilitation cannot be exploited. Instead, Bob needs to make a first guess by supposing α = α_B and to calculate

x''_{α_B} = x' − H · 1^T · α_B = H · 1^T · (α − α_B) + H · T^T · e^T. (21)

If α_B = α, then x''_{α_B} = H · T^T · e^T; therefore, Bob can recover e through syndrome decoding, check its weight and verify that a_2 · e^T = α_B. Otherwise, the application of syndrome decoding on x''_{α_B} results in a decoding failure or in obtaining e' ≠ e, for α_B ≠ α. As for the first implementation, in this case the probability of obtaining a correctable syndrome e' is very small; so, when α_B ≠ α, the decoder will end up reporting failure in most cases.

Also in this case, the average number of decryption attempts needed by Bob is (q + 1)/2, and the decryption complexity increases by a factor ≤ (q + 1)/2.

Concerning the subcode vulnerability, by using a_1 ≠ a and a_2 ≠ a, the matrix H_a as in (12) no longer defines a subcode permutation-equivalent to a subcode of the secret code. So, provided that the private code does not include the all-one codeword (for the reasons explained in Section 3.1), the subcode vulnerability is eliminated.

Note that an attacker could try to sum two rows of H', hoping that one of them corresponds to a copy of the vector a_1 in R and the other to a copy of the vector a_2, so that the sum of the two rows might still contain the vector a. If he were able to select only those sums of this type, then he might be able to find a weak subcode. This appears to be a hard task for the following reasons. If he adds one row to all the other rows, he would get, on average, only r/2 = (n − k)/2 rows containing the vector a, while the other sums would contain 2a_1 or 2a_2; even if he were able to select the rows corresponding to a, the dimension of the subcode would not be large enough for a feasible attack [9], [20]. Furthermore, effectively obtaining a in the sum of two rows also depends on how H is built, i.e. it may occur only if some special relations between elements of H are satisfied. Lastly, summing pairs of rows would also imply summing pairs of rows of T^T; so, their (very low) weight would be doubled with a very high probability, making decoding harder.

For these reasons, it seems not easy to devise a further vulnerability for the subcode that may allow an attack to be mounted against this implementation.
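The following Python implementation, added here and not the paper's own code, runs the Niederreiter version of Section 2.3 with the second implementation above (a = a_1 + a_2, b_2 = 1 + b, z = 1, m = 1) end to end: key generation as in (9) and (13), encryption as in (10) with the selection (4), and Bob's guessing loop (20)-(21) with the weight and a_2 · e^T checks. The private code (a shortened Reed-Solomon-like code over F_11 given by a Vandermonde parity-check matrix, so that the all-one word is not a codeword) and the brute-force syndrome table are constructed for the example; the re-encryption check inside the loop is an added safeguard of this example, not a step stated in the paper.

```python
import itertools
import random

q, n, r, t = 11, 8, 5, 2   # constructed toy parameters: prime field F_11, length n < q - 1

# Private code: Vandermonde parity-check matrix on the distinct points 1..n of F_q.
# Any r = 5 columns are independent, so d = 6 and the code corrects t = 2 errors.
H = [[pow(x, i, q) for x in range(1, n + 1)] for i in range(r)]

def syndrome(M, v):
    """M . v^T as a tuple over F_q."""
    return tuple(sum(mi * vi for mi, vi in zip(row, v)) % q for row in M)

def inverse(M):
    """Gauss-Jordan inverse over F_q; raises ValueError if M is singular."""
    d = len(M)
    A = [row[:] + [int(i == j) for j in range(d)] for i, row in enumerate(M)]
    for c in range(d):
        p = next((i for i in range(c, d) if A[i][c] % q), None)
        if p is None:
            raise ValueError("singular matrix")
        A[c], A[p] = A[p], A[c]
        inv = pow(A[c][c], q - 2, q)
        A[c] = [x * inv % q for x in A[c]]
        for i in range(d):
            if i != c and A[i][c]:
                f = A[i][c]
                A[i] = [(x - f * y) % q for x, y in zip(A[i], A[c])]
    return [row[d:] for row in A]

def all_one_is_codeword():
    return not any(syndrome(H, [1] * n))     # Section 3.1: must be False for this scheme

def syndrome_table():
    """Syndrome -> error vector for every error of weight <= t (brute-force decoder)."""
    tab = {}
    for w in range(t + 1):
        for pos in itertools.combinations(range(n), w):
            for vals in itertools.product(range(1, q), repeat=w):
                e = [0] * n
                for p, v in zip(pos, vals):
                    e[p] = v
                tab[syndrome(H, e)] = e
    return tab

def keygen():
    """Second implementation with z = 1, m = 1: a = a_1 + a_2, b_2 = 1 + b, Q = R + T."""
    while True:
        a1, a2, b = ([random.randrange(q) for _ in range(n)] for _ in range(3))
        a = [(x + y) % q for x, y in zip(a1, a2)]
        R = [[(a1[i] * b[j] + a2[i] * (1 + b[j])) % q for j in range(n)]   # (13)
             for i in range(n)]
        perm = random.sample(range(n), n)
        T = [[random.randrange(1, q) if j == perm[i] else 0 for j in range(n)]
             for i in range(n)]                       # one generalized permutation matrix
        Q = [[(x + y) % q for x, y in zip(ra, rt)] for ra, rt in zip(R, T)]
        S = [[random.randrange(q) for _ in range(r)] for _ in range(r)]
        try:
            inverse(Q)                                # Q must be non-singular
            Sinv = inverse(S)
        except ValueError:
            continue
        cols = [syndrome(Sinv, syndrome(H, Q[j])) for j in range(n)]   # columns of S^-1 . H . Q^T
        Hpub = [list(c) for c in zip(*cols)]          # public key H' of (9)
        return Hpub, a, (S, a2, T)

def encrypt(Hpub, a):
    """Alice: weight-t error vector with a . e^T = 0, condition (4); ciphertext x = H' . e^T (10)."""
    while True:
        e = [0] * n
        for p in random.sample(range(n), t):
            e[p] = random.randrange(1, q)
        if sum(ai * ei for ai, ei in zip(a, e)) % q == 0:
            return e, syndrome(Hpub, e)

def decrypt(x, Hpub, priv, tab):
    """Bob: x' = S . x = H . 1^T . alpha + H . T^T . e^T (20); guess alpha_B, decode, verify (21)."""
    S, a2, T = priv
    x1 = syndrome(S, x)
    H1 = syndrome(H, [1] * n)                         # H . 1^T
    Tinv = inverse(T)
    for alpha_B in range(q):                          # at most q guesses on alpha = a_2 . e^T
        x2 = tuple((xi - h * alpha_B) % q for xi, h in zip(x1, H1))
        v = tab.get(x2)                               # syndrome decoding; None = decoding failure
        if v is None:
            continue
        e = [sum(v[j] * Tinv[j][i] for j in range(n)) % q for i in range(n)]   # e = (e . T) . T^-1
        if (sum(1 for ei in e if ei) == t
                and sum(ai * ei for ai, ei in zip(a2, e)) % q == alpha_B
                and syndrome(Hpub, e) == x):          # re-encryption check (added safeguard)
            return e, alpha_B
    return None, None

def roundtrip(seed):
    """Returns (decrypted e == e, recovered alpha == a_2 . e^T) for one key pair and message."""
    random.seed(seed)
    tab = syndrome_table()
    Hpub, a, priv = keygen()
    e, x = encrypt(Hpub, a)
    e_dec, alpha = decrypt(x, Hpub, priv, tab)
    return e_dec == e, alpha == sum(ai * ei for ai, ei in zip(priv[1], e)) % q
```

With these toy parameters a wrong guess α_B hits a correctable syndrome far more often than for the paper's parameters, which is why the weight, a_2 · e^T and re-encryption checks all matter before accepting a candidate.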

3.4 Choice of Q 

Also the choice of the matrix Q can show some critical aspects. Let us focus on the binary case (q = 2) and consider a particular instance of the first implementation, in which the matrix Q is obtained as

Q_1 = R + P_1, (22)

with P_1 being a permutation matrix and

R = a^T · b = [a_1 a_2 ··· a_n]^T · [b_1 b_2 ··· b_n], (23)

where a and b are two random vectors over F_2.

In the choice of Qi it is important to avoid some special cases which could 
allow an attacker to derive a code that is permutation-equivalent to the secret 
one, thus bringing security back to that of the classical McEliece system. 

Let us suppose that the j-th element of b is zero and that P_1 has a symbol 1 at position (i, j). In this case, the j-th column of Q_1 is null, except for its element at row i. Since Q_1^{-1} = \tilde{Q}/|Q_1|, where \tilde{Q} is the adjugate matrix and |Q_1| is the determinant of Q_1, it follows from the definition of \tilde{Q} that the i-th column of Q_1^{-1} is null, except for its element at row j. So, the i-th column of Q_1^{-1} has the effect of a column permutation, like in the original McEliece cryptosystem.

In order to avoid such a possible flaw, we impose that all the elements of b are non-zero. If we limit ourselves to the binary case, this imposes that b is the all-one vector. However, in such a case, further issues exist in the design of Q. For example, let us consider a as an all-one vector too, so that R = 1. A valid parity-check matrix for the public code is:

H' = H · Q^T, (24)

where H is the parity-check matrix of the private code. In the special case of Q_1 = 1 + P_1, we have H' = H · 1 + H · P_1^T. By assuming a regular H (i.e. with constant row and column weights), two cases are possible:

• If the rows of H have even weight, H · 1 = 0 and H' = H · P_1^T.

• If the rows of H have odd weight, H · 1 = 1 and H' = 1 + H · P_1^T.

In both cases, the public code has a parity-check matrix that is simply a permuted version of that of the secret code (or its complement). This reduces the security to that of the original McEliece cryptosystem, which discloses a permuted version of the secret code. Such a security level is not sufficient when adopting, for example, LDPC codes, since the permuted version of the secret matrix H can be attacked by searching for low weight codewords in the dual of the secret code.

A more general formulation of the flaw follows from the consideration that Q_1 = 1 + P_1 has a very special inverse. First of all, let us consider that Q_1 is invertible only when it has even size. This is obvious since, for odd size, Q_1 has even row/column weight; so, the sum of all its rows is the zero vector. If we restrict ourselves to even size Q_1 matrices, it is easy to show that their inverse has the form Q_1^{-1} = 1 + P_1^T, due to the property of permutation matrices (as orthogonal matrices) to have their inverse coincident with the transpose.

So, Q_1^{-1} has the same form as Q_1 and, as in the case of H, disclosing G' = S^{-1} · G · Q_1^{-1} might imply disclosing a generator matrix of a permuted version of the secret code or its complement (depending on the parity of its row weight). Therefore, the form Q_1 = 1 + P_1 might reduce the security to that of the permutation used in the original McEliece cryptosystem.

Based on these considerations, one could think that adopting a vector a different from the all-one vector could avoid the flaw. However, by considering again that Q_1^{-1} = \tilde{Q}/|Q_1|, it is easy to verify that a weight-1 row in Q_1 produces a weight-1 row in Q_1^{-1} and a weight-(n − 1) row in Q_1 produces a weight-(n − 1) row in Q_1^{-1}. It follows that Q_1^{-1} contains pairs of columns having Hamming distance 2. Since their sum is a weight-2 vector, the sum of the corresponding columns of the public matrix results in the sum of two columns of S^{-1} · G. Starting from this fact, an attacker could try to solve a system of linear equations with the aim of obtaining a permutation-equivalent representation of the secret code, at least for the existing distance-2 column pairs.

So, our conclusion concerning the binary case is that the choice of Q as in (22) and (23) should be avoided. A safer Q is obtained by considering z > 1 and more than one permutation matrix (i.e. m > 1). This obviously has the drawback of requiring codes with increased error correction capability.
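As an added design check (this code is not from the paper), the following Python script verifies over F_2 the two facts used in this subsection: Q_1 = 1 + P_1 is invertible only for even n, with inverse 1 + P_1^T, and for an H whose rows all have the same weight parity the public matrix H' = H · Q_1^T is H · P_1^T (even row weight) or 1 + H · P_1^T (odd row weight). The parity-check matrices H_EVEN, H_ODD and the permutations are constructed for the example.

```python
def perm_matrix(n, perm):
    """Binary permutation matrix P_1 with a 1 at (i, perm[i])."""
    return [[int(j == perm[i]) for j in range(n)] for i in range(n)]

def ones(rows, cols):
    return [[1] * cols for _ in range(rows)]

def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]

def add(A, B):
    """Matrix sum over F_2."""
    return [[x ^ y for x, y in zip(ra, rb)] for ra, rb in zip(A, B)]

def mul(A, B):
    """Matrix product over F_2."""
    return [[sum(A[i][l] & B[l][j] for l in range(len(B))) & 1
             for j in range(len(B[0]))] for i in range(len(A))]

def transpose(A):
    return [list(c) for c in zip(*A)]

def weak_Q(n, perm):
    """Q_1 = R + P_1 of (22) with a = b = all-one in (23), i.e. Q_1 = 1 + P_1."""
    return add(ones(n, n), perm_matrix(n, perm))

def has_inverse_1_plus_PT(n, perm):
    """True iff (1 + P_1) . (1 + P_1^T) = I; the product is (n mod 2) . 1 + I, so only for even n."""
    candidate = add(ones(n, n), transpose(perm_matrix(n, perm)))
    return mul(weak_Q(n, perm), candidate) == identity(n)

def rows_sum_to_zero(n, perm):
    """For odd n every column of Q_1 has even weight, so its rows sum to 0 and Q_1 is singular."""
    return all(sum(col) % 2 == 0 for col in zip(*weak_Q(n, perm)))

def public_H_is_permuted(H, perm):
    """H' = H . Q_1^T equals H . P_1^T (even row weight) or 1 + H . P_1^T (odd row weight)."""
    r, n = len(H), len(H[0])
    parities = {sum(row) % 2 for row in H}
    if len(parities) != 1:
        raise ValueError("rows of H must share the same weight parity")
    H_pub = mul(H, transpose(weak_Q(n, perm)))
    H_perm = mul(H, transpose(perm_matrix(n, perm)))
    return H_pub == (H_perm if parities == {0} else add(ones(r, n), H_perm))

# Constructed parity-check matrices with n = 8: row weight 4 (even) and row weight 3 (odd).
H_EVEN = [[1, 1, 1, 1, 0, 0, 0, 0],
          [0, 0, 1, 1, 1, 1, 0, 0],
          [1, 1, 0, 0, 0, 0, 1, 1],
          [0, 0, 0, 0, 1, 1, 1, 1]]
H_ODD = [[1, 1, 1, 0, 0, 0, 0, 0],
         [0, 0, 0, 1, 1, 1, 0, 0],
         [0, 0, 0, 0, 0, 1, 1, 1],
         [1, 0, 0, 1, 0, 0, 0, 1]]
```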

4 Comparison with other variants of the McEliece cryptosystem

The main difference between the proposed cryptosystem and many other variants of the McEliece cryptosystem consists in the way the secret generator matrix is disguised into the public one, that is, by using a more general transformation matrix in the place of the permutation matrix.

Other proposals for increasing key security have been made in the past, such as using a distortion matrix together with rank codes in the GPT cryptosystem [5] and exploiting the properties of subcodes in variants of the McEliece and the GPT cryptosystems. Unfortunately, cryptanalysis has shown that such approaches exhibit security flaws [13], [20].

The idea of using a rank-1 matrix with the structure (23) can be found in [5]. However, such a matrix was added to the secret matrix (rather than multiplied by it) and no selection of the error vectors was performed, so that a completely different solution was implemented.

Instead, the idea of replacing the permutation in the McEliece cryptosystem with a more general transformation matrix is already present in the variant of the GPT cryptosystem adopting a column scrambler [13], [17] and in cryptosystems based on full decoding [7, sec. 8.3]. These proposals are briefly examined next.

4.1 Comparison with the modified GPT cryptosystem 

The original GPT cryptosystem has been the object of Gibson's attack. To 
counter such an attack, in [13] a variant including a column scrambler in place 
of the permutation matrix has been proposed. 

Apart from the code extension and the inclusion of an additive distortion ma- 
trix, in the modified GPT cryptosystem the public generator matrix is obtained 
through right-multiplication by a non-singular matrix that is not necessarily 
a permutation matrix. So, in principle, it is the same idea of using a more 
general transformation matrix as in the proposed cryptosystem. However, in 
order to preserve the ability to correct the intentional error vectors, the GPT 
cryptosystem works in the rank metric domain and adopts rank distance codes, 
as Gabidulin codes. 

Unfortunately, the properties of Gabidulin codes make it possible to exploit the effect of the Frobenius automorphism on the public generator matrix in order to mount a polynomial-time attack [14]. Recently, it has been shown that this attack can be avoided [17], but the cryptosystem still needs to work with rank distance codes. Differently from the GPT cryptosystem, the proposed solution is able to exploit Hamming distance codes, which are more widespread than rank distance codes, can be chosen to have convenient properties or structure, like RS codes, and may take advantage of many efficient codec implementations that are already available.

4.2 Comparison with full-decoding cryptosystems 

The main idea behind full-decoding cryptosystems in [7] is to let the intentional error vectors have any arbitrary weight. This way, an attacker would be forced to try full decoding of the public code, which is known to be an NP-complete task. Obviously, the legitimate receiver must be able to decode any intentional error vector with reasonable complexity; so, the problem of full decoding must be transformed from a one-way function into a trapdoor function. For this purpose, the main idea is to use a transformation that maps a set of error vectors with weight ≤ t into a set of arbitrary weight intentional error vectors.

If this transformation is represented by the n × n matrix M, the public code 
(as first proposed in [7]) would be G' = G · M. The key point for obtaining 
a trapdoor function is to make Alice use only those error vectors that can be 
expressed as e' = e · M, where e is a weight-t error vector. This way, when Bob 
uses the inverse of the secret matrix M to invert the transformation, he re-maps 
each arbitrary-weight error vector into a correctable error vector. Unauthorized 
users would instead be forced to attempt full decoding over arbitrary-weight 
error vectors; so, the trapdoor is obtained. 

The set of intentional error vectors used in full-decoding cryptosystems is 
not the set (or a subset) of the correctable error vectors, as in the proposed 
cryptosystem, but a transformed version of it. In fact, the purpose of full- 
decoding cryptosystems is to increase the security level with respect to the 
McEliece cryptosystem by relying on a problem that is harder to solve. In 
order to exploit the full-decoding problem, Alice must use for encryption only 
those error vectors that can be mapped back into correctable error vectors. 
So, some information on the transformation used to originate them must be 
disclosed. One solution is to make the first p < n rows of M public [7]. 
However, it has been proved that, this way, the security reduces to that of 
the original McEliece cryptosystem, and an attacker does not have to attempt 
full decoding, but only normal decoding. 

Further variants aim at better hiding the secret transformation matrix in 
its disclosed version [7]. In the last variant, a generator matrix of a maximum 
distance anticode is used to hide the secret transformation. This way, after 
inverting the secret transformation, the error vector remains correctable for the 
legitimate receiver. To our knowledge, the latter version has never been proved 
to be insecure, nor to reduce to the same problem as the original McEliece 
cryptosystem. However, the construction based on anticodes seems impractical. 

Differently from full-decoding cryptosystems, our proposal still relies on the 
same problem as the original McEliece cryptosystem (that is, normal decoding); 
so, no transformation is performed on the correctable random error vectors, 
and we need, at most, only a selection of them. For this reason, the information 
leakage on the secret transformation matrix that is needed in the proposed 
cryptosystem is considerably smaller than in full-decoding cryptosystems. 

5 Attacks against the proposed cryptosystem 

A first concern about the proposed cryptosystem is to verify that it is actually 
able to provide increased key security, with respect to previous variants of the 
McEliece cryptosystem, in such a way as to allow the use of widespread families 
of codes (such as RS and Generalized RS codes) without incurring the attacks 
that have prevented their use up to now. 

From the comparison with the variants described in Sections 4.1 and 4.2 
we infer that previous attacks targeted at those cryptosystems do not succeed 
against the proposed one, due to the differences in the family of codes used and 
in the information leakage on the secret transformation. Concerning the latter 
point, we observe that, even if the whole matrix R (and not only the vector 
a) were public, an attacker would not gain much information. In fact, in this 
case, he could compute x · R = u · G' · R. However, for the choices of the 
parameters we consider, R has rank smaller than n, so G' · R cannot be inverted 
to recover u. Moreover, multiplication by G' · R only provides a small-dimension 
syndrome of u, whose decoding is known to be a hard problem [3]. 

The most powerful attack procedures against our proposed solution are those 
techniques that attempt information set decoding (ISD) on the public code; so 
we estimate the security level of the proposed cryptosystem against this kind of 
attack. Actually, there is no guarantee that the public code, defined through 
the public generator matrix G' or, equivalently, the public parity-check matrix, 
maintains the same minimum distance and error correction capability as the 
secret code. Since the private code is already a very good code, and the 
transformation matrix is randomly chosen, the public code will most probably 
be worse than the private one. So, in estimating the security level as the 
work factor of ISD attacks, we make the pessimistic (from the designer's 
standpoint) assumption that the public code is still able to correct all 
intentional errors. 

5.1 ISD attacks 

In [1] the authors have proposed some smart speedup techniques to reduce the 
Stern algorithm work factor (WF) over the binary field, this way obtaining a 
theoretical WF close to 2^60. Their attack was implemented on a large cluster 
of computers that was able to break the McEliece cryptosystem with the original 
parameters (n = 1024, k = 524, t = 50). As a consequence, the authors 
have proposed some new sets of system parameters in order to increase the 
security level. The information set decoding attack is not polynomial in the 
code dimension, since it aims at decoding a random linear code without exploiting 
any structural property (even if present), and this task is notoriously 
non-polynomial. One of the biggest improvements presented in [1] is a smart way 
to find k independent columns in the public generator matrix at each iteration 
without performing Gaussian reduction on all such columns. A further improvement 
consists in the pre-computation of the sums of some rows during the reduction. 

In [16], Peters points out that these speedups are effective only on very small 
fields. As results from the table available in [15], for q > 16 the maximum 
values of the speedup parameters are c = 2 and r = 1, where c is the number 
of columns to be changed when an iteration fails and r is the number of rows 
in a single pre-sum (r = 1 means no speedup). So, for large fields, these 
speedups are not relevant and the algorithm is quite similar to Stern's one. 
The difference lies in guessing not only p error positions but also p error 
values in the k independent columns, because of the field cardinality. Finiasz 
and Sendrier have proposed a further improvement that could yield a slight 
modification in the WF, resulting in a maximum increase of 2^6 or a maximum 
decrease close to 2^3. 

In Table 1 we report some values of the WF when using RS codes in the 
variant of the McEliece cryptosystem we propose. They were computed through 
the PARI/GP script available in [15], which allows the estimation of the security 
level, although it is not extremely accurate (it can be about 4-8 times higher 
than the actual value). The reported WF values are the lowest ones obtained 
for each set of parameters. We observe from Table 1 that, in order to reach a 
satisfactory level of security (that is, WF > 2^80), we need to adopt RS codes 
defined over F_256 or larger fields. Based on Table 1 we can compare the proposed 
cryptosystem with the instances of the McEliece system presented in [4]. 

5.1.1 Example 1 

To reach WF > 2^80, the (1632, 1269) Goppa code is suggested in [4], resulting in 
a public-key size of 460647 bits (obtained by storing the non-systematic part of 
H, as in the Niederreiter cryptosystem). 

With the new variant, we can consider the RS code with n = 255, k = 195, 
t = 30, having an estimated WF ≈ 2^86.06 and an actual WF ≈ 2^84.18 (found 
through the C program available in [15]). We can consider the Niederreiter 
version of the first implementation (see Section 3.2), and use H", defined by 
(11), having elements over F_256, as the public key. 

This way, we need to store only the last k columns of H", that is, (n − k) · k 
elements of 8 bits each, so obtaining a public key size of 93600 bits, which is 
about 80% less than in the revised McEliece cryptosystem [4]. If we instead adopt 
the second implementation (see Section 3.3), we also need to store the 1 × 255 
vector a, with elements over F_256. This would increase the public key size by 
2040 bits, which is not a significant change. 

The security level of the two systems remains comparable when the con- 
straint expressed by a is imposed on the intentional error vectors of the modified 
cryptosystem. In fact, as will be shown in the next subsection, the introduction 
of each constraint results in a decrease of the WF of the ISD attack by a factor 
of 2^3 at most. 

5.1.2 Example 2 

As another example, we can consider the Goppa code suggested in [4] to achieve 
WF > 2^128, which has n = 2960, k = 2288, yielding a key length of 1537536 
bits. 

An RS code with the same rate (0.77), defined over F_512, is reported in Table 
1 and has n = 511, k = 395. By considering this code in the Niederreiter version 
of the first implementation (see Section 3.2), and storing the last k columns of 
H", defined by (11), we obtain a public key size of 412380 bits, which is about 
73% less than in the revised McEliece cryptosystem. 

Moreover, by using the new system, the security level grows up to 2^158.67 
(more precisely, it is estimated as 2^155.89 with the C program from [15]). This 
value remains very high even when we consider the presence of the constraint 
expressed by a on the intentional error vectors. 
Table 1: Work factor (log2) of ISD attacks on RS codes. 

RS codes with n = 127 defined over F_128 

Rate  0.75  0.73  0.72  0.70  0.69  0.67  0.65  0.64  0.62  0.61  0.59  0.57  0.56  0.54  0.53 
t       16    17    18    19    20    21    22    23    24    25    26    27    28    29    30 
WF    49.2  50.1  51.0  51.7  52.3  52.8  53.3  53.7  54.0  54.2  54.3  54.4  54.4  54.4  54.2 

RS codes with n = 255 defined over F_256 

Rate  0.81  0.80  0.78  0.76  0.75  0.73  0.72  0.70  0.69  0.67  0.65  0.64  0.62  0.61  0.59 
t       24    26    28    30    32    34    36    38    40    42    44    46    48    50    52 
WF    79.0  81.6  83.9  86.1  87.9  89.6  91.1  92.4  93.5  94.4  95.2  95.8  96.2  96.5  96.7 

RS codes with n = 511 defined over F_512 

Rate   0.94   0.93   0.91   0.90   0.89   0.88   0.87   0.86   0.84   0.83   0.82   0.81   0.80   0.78   0.77 
t        16     19     22     25     28     31     34     37     40     43     46     49     52     55     58 
WF     81.3   90.1   98.1  105.6  112.4  118.8  124.7  130.2  135.3  140.0  144.3  148.4  152.1  155.5  158.7 


5.2 Exploiting the knowledge on error vectors 

It is important to assess whether the constraints that may be imposed on the 
intentional error vectors in the proposed cryptosystem have any consequences 
on its security. 

For this purpose, a conservative approach consists in considering, in the WF 
computations, a reduced number of intentional errors, that is, t' = t − z. This 
approach is conservative in the sense that we assume that the attacker exactly 
knows both the positions and the values of z errors, while he actually knows only 
their values. We can estimate the WF of an ISD attack in this scenario by using 
the same procedure as in Section 5.1. This has been done in Table 2. As we can 
observe from the values obtained (and from their comparison with those reported 
in Table 1, which correspond to z = 0), the WF decreases by a factor close to 
2^3 each time z is increased by 1. So, the security level for the considered 
parameters does not vary significantly, provided that the value of z is kept 
small. 
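To make the two estimates concrete (the q-ary ISD cost of Section 5.1 and the conservative t' = t − z reduction of this subsection), here is an added Python estimator that is neither the PARI/GP script of [15] nor the Stern variant behind Tables 1 and 2. It implements the simpler q-ary Lee-Brickell algorithm with an assumed cost of (n − k)^2 · n field operations for Gaussian elimination and (n − k) operations per enumerated candidate, so its absolute numbers differ from the tables by a few bits; what it reproduces are the two effects the text relies on: the (q − 1)^p factor that makes the attack costlier over large fields, and the drop of close to 2^3 per unit of z. All function names and cost constants are our own assumptions.

```python
"""Rough q-ary Lee-Brickell ISD work-factor estimator (added illustration; not
the script of [15] and not the estimator used for Tables 1 and 2)."""
from math import comb, log2


def lee_brickell_log2_wf(n, k, t, q, p):
    """log2 of the expected number of field operations to find one weight-t
    error in an (n, k) code over F_q, allowing exactly p errors inside the
    chosen information set (Lee-Brickell parameter p)."""
    if p > t or p > k or t - p > n - k:
        return float("inf")
    # Cost of one iteration (assumed constants): Gaussian elimination of the
    # information set, plus enumeration of the p error positions AND their
    # (q-1)^p non-zero values, about (n-k) operations per candidate.  Over F_2
    # the (q-1)^p factor disappears, which is why large fields help the defender.
    gauss = (n - k) ** 2 * n
    enum = comb(k, p) * (q - 1) ** p * (n - k)
    # Probability that a random information set contains exactly p of the t
    # errors: C(k,p) C(n-k,t-p) / C(n,t).  Work in the log domain so that large
    # binomials and (q-1)^p never overflow a float.
    return (log2(gauss + enum)
            - log2(comb(k, p) * comb(n - k, t - p))
            + log2(comb(n, t)))


def best_log2_wf(n, k, t, q):
    """Cheapest attack over all p; returns (log2 WF, best p)."""
    costs = {p: lee_brickell_log2_wf(n, k, t, q, p) for p in range(min(t, k) + 1)}
    p_best = min(costs, key=costs.get)
    return costs[p_best], p_best


def constrained_log2_wf(n, k, t, q, z):
    """Conservative Section 5.2 estimate: the z error values known to the
    attacker are treated as if their positions were known too, i.e. the
    attack is run against t' = t - z errors."""
    return best_log2_wf(n, k, t - z, q)[0]


if __name__ == "__main__":
    for (n, k, t, q) in [(255, 195, 30, 256), (511, 395, 58, 512)]:
        wf, p = best_log2_wf(n, k, t, q)
        print(f"n={n} k={k} t={t} q={q}: log2 WF ~ {wf:.1f} (best p={p}); "
              f"z=1: {constrained_log2_wf(n, k, t, q, 1):.1f}, "
              f"z=2: {constrained_log2_wf(n, k, t, q, 2):.1f}")
    # Same (n, k, t) over F_2: the (q-1)^p factor is gone and the attack is cheaper.
    print("n=255 k=195 t=30 over F_2: log2 WF ~ %.1f" % best_log2_wf(255, 195, 30, 2)[0])
```

For the (255, 195, 30) RS code over F_256 the estimator lands near 2^87 with p = 1, a few bits above the Stern-based 2^84-2^86 of Example 1, and each unit of z lowers it by about 2.8 bits; over F_2 the same length, dimension and t give only about 2^79, which is the field-size effect discussed in Section 5.1.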



Table 2: Work factor (log2) of ISD attacks on RS codes with n = 255, defined 
over F_256, when z = 1 or z = 2 constraints are imposed on the error vectors. 

Rate       0.81  0.80  0.78  0.76  0.75  0.73  0.72  0.70  0.69  0.67  0.65  0.64  0.62  0.61  0.59 
t            24    26    28    30    32    34    36    38    40    42    44    46    48    50    52 
WF (z = 1) 75.9  78.6  81.1  83.3  85.3  87.0  88.6  90.0  91.2  92.2  93.0  93.7  94.2  94.6  94.8 
WF (z = 2) 72.8  75.6  78.2  80.5  82.6  84.5  86.1  87.6  88.9  89.9  90.9  91.6  92.2  92.6  92.9 



6 Conclusion 

We have introduced a variant of the McEliece cryptosystem that, by replacing 
the secret permutation matrix with a more general transformation matrix, 
ensures that the public code is no longer permutation-equivalent to the secret 
code. This prevents the known attacks against classical families of codes, such 
as RS codes, and allows them to be reconsidered as good candidates in this 
framework. 
We have proposed some practical implementations of the new cryptosys- 
tem, by considering both its McEliece and Niederreiter variants, and we have 
addressed some important issues that may influence their design. 

We have also assessed the security level of the proposed cryptosystem by 
considering up-to-date attack procedures, and we have compared it with the 
classical McEliece cryptosystem and the Niederreiter variant. Our results show 
that the proposed solution, by exploiting RS codes, is able to provide an 
increased security level and, at the same time, a considerable reduction in the 
public key size. 